DB: 2016-10-01
1 new exploits Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege
This commit is contained in:
parent
fa1b17f699
commit
2963ce32a0
2 changed files with 47 additions and 0 deletions
|
@ -36562,3 +36562,4 @@ id,file,description,date,author,platform,type,port
|
|||
40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
|
||||
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
|
||||
40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
|
||||
40442,platforms/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege",2016-09-30,Tulpa,windows,local,0
|
||||
|
|
Can't render this file because it is too large.
|
46
platforms/windows/local/40442.txt
Executable file
46
platforms/windows/local/40442.txt
Executable file
|
@ -0,0 +1,46 @@
|
|||
# Exploit Title: Netgear Genie 2.4.32 Unquoted Service Path Elevation of Privilege
|
||||
# Date: 30/09/2016
|
||||
# Exploit Author: Tulpa
|
||||
# Contact: tulpa@tulpa-security.com
|
||||
# Author website: www.tulpa-security.com
|
||||
# Vendor Homepage: www.netgear.com
|
||||
# Software Link: https://www.netgear.com/home/discover/apps/genie.aspx?
|
||||
|
||||
cid=wmt_netgear_organic
|
||||
# Version: Software Version 2.4.32
|
||||
# Tested on: Windows 7 x86
|
||||
# Shout-out to carbonated and ozzie_offsec
|
||||
|
||||
1. Description:
|
||||
|
||||
Netgear Genie installs a service called 'NETGEARGenieDaemon' with an unquoted service
|
||||
|
||||
path running with SYSTEM privileges.
|
||||
This could potentially allow an authorized but non-privileged local
|
||||
user to execute arbitrary code with elevated privileges on the system.
|
||||
|
||||
2. Proof
|
||||
|
||||
C:\Program Files>sc qc NETGEARGenieDaemon
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: NETGEARGenieDaemon
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 3 DEMAND_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : NETGEARGenieDaemon
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
|
||||
3. Exploit:
|
||||
|
||||
A successful attempt would require the local user to be able to insert their
|
||||
code in the system root path undetected by the OS or other security applications
|
||||
where it could potentially be executed during application startup or reboot.
|
||||
If successful, the local user's code would execute with the elevated privileges
|
||||
of the application.
|
||||
|
Loading…
Add table
Reference in a new issue